In-Depth

Bot Networks and Modular Code Target Enterprises

Increased attacks are driven by money and modularity.

• By Mathew Schwartz
• 10/04/2005

If there’s a word to describe the difference between attacks now and attacks a decade ago, it’s money.

“Attackers are being increasingly motivated by financial gain. They’re less interested in the digital graffiti we saw eight or 10 years ago,” says Dean Turner, executive editor of Symantec’s bi-annual Internet Security Threat Report. The eighth edition of the report, just released, analyzes data collected during the first six months of 2005 from 24,000 security devices deployed in more than 180 countries.

What did researchers find? “During the first half of 2005, malicious code that exposed confidential information represented 74 percent of the top 50 malicious code samples reported to Symantec, up from 54 percent in the previous six months,” says the report.

All told, for the period between January and June 2005, Symantec documented 1,862 new vulnerabilities—an average of 10 new vulnerabilities per day, or a 31 percent increase overall from the last six months of 2004. All told, 97 percent of vulnerabilities were of high severity (complete compromise of a system) or moderate severity, and 84 percent were remotely exploitable. The rapid increase in new vulnerabilities has an easy explanation: the growing use of Web applications, says Turner. “They’re commonly exploited because they provide a high level of customizability.”

The report also notes the number of phishing attacks is growing rapidly. For the first six months of 2005, for example, an average of 5.7 million phishing messages were sent per day, compared with 3 million just six months before. On average, one out of every 125 e-mail messages sent globally is a phishing attacks.

The Year of the Bot

The report especially highlights the degree to which bot networks—composed of compromised or “zombie” PCs which criminals use to launch large-scale spam or denial-of-service attacks—are growing. For the first six months of 2005, bots accounted for 14 percent of Symantec’s top 50 list of the most malicious code.

According to the report, “Symantec observed an average of 10,352 active bot network computers per day, an increase of more than 140 percent from the previous reporting period’s 4,348 bot computers.” Not coincidentally, an average of 927 denial-of-service attacks per day were found, up from 119 per day just six months before. “The most frequently targeted industry was education, followed by small business and financial services.”

Just how many discrete bot networks are there? It’s hard to say, says Turner, “because the number of computers comes on and off the network.” Overall, however, “there have been estimates by some organizations that there are anywhere between a million and two million bot network computers at any one time.” Attackers also offer their bot services to others. Researchers found “bot networks as large as 150,000 hosts were available for rent,” he says.

Symantec anticipates attackers will only grow more sophisticated in their ability to exploit PCs, given the financial payoff of maintaining a large bot network. “As the financial rewards increase, attackers will likely develop more sophisticated and stealthier malicious code that will be implemented in bot features and bot networks, some of which could attempt to disable antivirus, firewall, and other security measures.” They’re also getting stealthier. “It’s becoming increasingly difficult to detect these new types of threats.”

Future Attacks

Another interesting finding is the degree to which attackers now rely on modular code. While the number of new vulnerabilities is beginning to level off, the number of malware variants is increasing. “It’s easier and more affordable for attackers to modify existing code” than it is to create new code, says Turner.

Previously, most malware was all-in-one: it would exploit a vulnerability, infect a user’s PC, take action (such as harvesting information), then replicate itself. Today, however, malware writers are now creating smaller, discrete pieces of code which they use just to get to a user’s computer. Once there, the modular code simply “phones home” to retrieve additional malicious code from the Internet.

Perhaps counter-intuitively, Symantec sees the increase in variants of this more modular code as a more serious problem than it would an increase in discrete types of malware. “Variants produce a greater risk because variants can be produced more quickly, and perhaps not be detected,” says Turner. Furthermore new variants may refine the attack, introducing greater functionality and evading previous detection methods. “They’re posing a greater threat now than they ever had before.”

Related Articles:

Q&A: Targets Shift for Application Security Attacks
http://esj.com/Security/article.aspx?EditorialsID=1505

Regulations, Fear Driving More-Secure Code Development
http://esj.com/Security/article.aspx?EditorialsID=1484